FTC Safeguards Rule for Auto Dealers: Everything You Need to Know
The Federal Trade Commission (FTC) regulates the automobile industry to protect consumers from unfair and deceptive business practices.
However, following yet another set of guidelines from another organization can be overwhelming.
Luckily, the FTC Safeguards Rule for Dealerships is designed to be streamlined and easy to follow for all businesses under its jurisdiction.
As a Managed Security Service Provider (MSSP), Intelligent Technical Solutions (ITS) has years of experience ensuring that our clients covered under the FTC regulations have up-to-par cybersecurity. In this article, we’ll break down:
- What is the FTC Safeguards Rule?
- Why does the FTC Safeguards Rule exist?
- 5 Questions the FTC will ask your business
By the end of this article, you’ll know the definition of the FTC Safeguards Rule and how to prepare your business for FTC auditing.
What is the FTC Safeguards Rule?
The FTC Safeguards Rule is a comprehensive consumer protection initiative that requires businesses to take steps to protect consumer information. It is part of the Gramm-Leach-Bliley Act (GLBA). The GLBA was passed by Congress in November 1999 and signed into law by President Clinton on November 12, 1999. It requires financial institutions to protect the security of the personal information they collect from customers.
The FTC Safeguards Rule was enacted in October 2000, but it did not go into effect until April 2001.
The rule applies to any person or organization that operates an Internet-accessible website, app, or digital platform and collects personal information about consumers for marketing use.
The FTC recently updated its guidelines for the FTC Safeguards Rule and moved the deadline for complying with them. Businesses are now required to comply with the new standards by May 9, 2023 (the previous deadline was December 9, 2022).
Why Does the FTC Safeguards Rule Exist?
The FTC issued the Safeguards Rule because it found that many companies were failing to meet basic standards for protecting consumer data – leaving consumers at risk of having their personal information stolen by hackers.
In short, the Safeguards Rule exists because of the threat posed by cyber-attacks against businesses – both large and small – across America.
5 Questions the FTC Will Ask You
Like it or not, the FTC will ask you a few questions when you process your FTC compliance certificate. They might even set up formal interviews and on-site visits to confirm each detail. But don't freak out! The FTC is there to help you protect yourself and your business from scam artists and fraudulent transactions.
Here are the questions they’ll ask you and how to prepare your business.
1. Do you have a WISP?
Auto dealers are required to have a Written Information Security Program (WISP). A WISP is a document that describes the policies, procedures, and controls in place for protecting sensitive personal information, and it is the #1 FTC Safeguards must-have.
This document will help you identify your company’s internal and external risks related to security breaches of customer personal information and theft of dealer assets. It should include:
- A description of how you assess these risks at least annually;
- An analysis of your most significant internal and external risks; and
- The steps you plan on taking to mitigate those risks.
2. Do you have an OIC (Officer-In-Charge) for your dealership’s WISP?
The OIC is the person who will run your dealership’s WISP and is responsible for making sure the WISP is planned and implemented properly. He or she should be someone with a lot of experience in the automotive world and a strong IT background.
Because they will also serve as the point of contact for the FTC, they need to have strong communication skills and must have worked on the WISP from the beginning. They’ll need to explain your WISP clearly to the FTC representative and be confident with the work they’ve done for the WISP.
3. Do you assess your cybersecurity on a periodic basis?
The answer to this question should be yes. If the answer is no, it is time to start thinking about how to do it. Many companies today have a dedicated team or person who helps them with their cybersecurity assessment.
Cybersecurity assessments aim to check for any vulnerabilities within your network. These vulnerabilities can be exploited by hackers and other cybercriminals to gain access to sensitive data such as credit card numbers, social security numbers, and other personal information.
Your OIC can take responsibility for the routine assessments but must have a dedicated team to back them up when going through the process.
It is important to get a professional assessment done on your network because these professionals know what to look for when they perform this type of service for clients. Even though you know your company’s network thoroughly, that familiarity can cause you to overlook things when conducting a cybersecurity assessment yourself.
4. Do you conduct security awareness training for your staff?
It is a good idea to conduct security awareness training for your staff. This can help them understand the importance of cybersecurity and how they should protect their accounts and computers. It is also a good way to educate them on what they should do if they suspect that they have been hacked or compromised.
5. Do you assess your third-party providers for their cybersecurity policies?
If you’re outsourcing any part of your business, make sure that you do some due diligence on them. Ask them about their cybersecurity policies and assess whether or not they have adequate security measures in place. This can help reduce the likelihood that your data will be compromised by a third party.
Ready to Implement the FTC Safeguards Rule for Your Auto Dealership?
The FTC Safeguards Rule is intended to keep consumer data safe, but it can be tricky to follow if you don’t have the right people for the job.
As an MSSP, we’ve dedicated our resources to finding the best people for the job.
If you’re ready to implement the FTC Safeguards Rule for your dealership, set up a meeting with our IT experts. However, if you want to do more research about FTC guidelines, check out "10 FTC Safeguard Rule Changes & What It Means for Auto Dealerships".